picoCTF Secret of the Polyglot — ForensicsChallenge- Walkthrough

This challenge provides a suspicious file; the goal is to determine what kind of file it really is and extract the information hidden in it.

IritT
4 min read · 6 days ago

Site URL: https://play.picoctf.org/practice/challenge/423?category=4&difficulty=1&page=1&search=

Description

The Network Operations Center (NOC) of your local institution picked up a suspicious file, they’re getting conflicting information on what type of file it is. They’ve brought you in as an external expert to examine the file. Can you extract all the information from this strange file? Download the suspicious file here.

Hints

  1. This problem can be solved by just opening the file in different ways.

Solution

Save the File

Since the browser opened the file as a PDF, we need to download it to our computer to check it in different ways.

  1. Right-click on the file in the browser.
  2. Click “Save As” or “Download”.
  3. Do not change the file extension (keep it as .pdf).

Open PowerShell and navigate to the Downloads folder

cd C:\Users\owner\Downloads

Verify that the file exists

Get-ChildItem flag2of2-final.pdf

Opened in a PDF viewer (as the browser did), this file shows only the second part of the flag: 1n_pn9_&_pdf_53b741d6}

Check for Hidden Text Inside the PDF and Check PDF Metadata

Select-String -Path flag2of2-final.pdf -Pattern "picoCTF"
Get-Item flag2of2-final.pdf | Format-List *
  • Result: Select-String finds no match, and Get-Item only lists filesystem properties (size, timestamps, attributes), not the PDF's own Info dictionary or XMP metadata. Text in a PDF normally sits inside compressed content streams, so a plain string search would not see it even if it were there. The first part of the flag is still hidden.
  • Conclusion: We need a different method to analyze the file.

Check the File Type

Format-Hex flag2of2-final.pdf

The first bytes of a file (its magic number or signature) identify the format regardless of the extension. Common signatures:

  • PNG — 89 50 4E 47 0D 0A 1A 0A — PNG image
  • PDF — 25 50 44 46 (%PDF) — PDF document
  • ZIP — 50 4B 03 04 — ZIP archive
  • JPEG — FF D8 FF — JPEG image

The first eight bytes of our file are 89 50 4E 47 0D 0A 1A 0A, the PNG signature, even though the file carries a .pdf extension.

Find the PDF Header

Further down in the same hex dump, the ASCII column shows the PDF header: %PDF-1.4

A PNG decoder only accepts its signature at offset 0, whereas PDF readers tolerate data in front of the %PDF header (Acrobat documents accepting it anywhere in the first 1024 bytes). That is why a PDF viewer happily opens a file whose first bytes say PNG.

This confirms that the file contains both PNG and PDF data, making it a polyglot file.

A polyglot file is a single file that is valid in multiple formats at the same time. This means that different programs may interpret the same file differently, depending on how they read it.

For example:

  • A file can be both a PNG image and a PDF.
  • A file can be both a ZIP archive and a JavaScript file.
  • A file can run as an executable but also be a text file.

This trick is often used in malware (to slip past filters that check only one format) and in steganography (hiding data inside files).

Rename the File to PNG and Open It

Rename-Item flag2of2-final.pdf flag2of2-final.png
Start-Process flag2of2-final.png

Result: Start-Process hands the file to the default image viewer, which reads the PNG data from offset 0 and renders an image containing part of the flag.

The text inside the PNG file is: picoCTF{f1u3n7_

Now, combine it with the second part (from the PDF analysis): 1n_pn9_&_pdf_53b741d6}

flag: picoCTF{f1u3n7_1n_pn9_&_pdf_53b741d6}
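The whole procedure above (signature at offset 0, a second format header deeper in the file, the same bytes opened under another extension) can be scripted so it also handles files where the extra header sits at an arbitrary offset. The PowerShell below is an added example written for this walkthrough, not code from the original post or from picoCTF. It assumes the downloaded file is in the current directory; its signature table is a constructed subset (the four signatures listed above plus the PNG IEND and PDF %%EOF trailers), the 1024-byte limit for the PDF header is Acrobat's documented tolerance, and the `<name>.as-<format><ext>` copy names are chosen here.

```powershell
# Editor-added example, not from the original post. Scans a file for every
# signature in a small constructed table, reports the offset of each hit, and
# writes one copy per accepted format so the original is never renamed.
# Assumes the file sits in the current directory.

function Get-EmbeddedSignatures {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string]$Path)

    $full   = (Resolve-Path -LiteralPath $Path).Path
    $bytes  = [System.IO.File]::ReadAllBytes($full)
    # Latin-1 (code page 28591) maps each byte to exactly one char, so .NET string
    # search works on the raw bytes without altering them.
    $latin1 = [System.Text.Encoding]::GetEncoding(28591)
    $text   = $latin1.GetString($bytes)

    # Constructed signature table. MaxOffset = where a reader will still accept the
    # header: PNG and JPEG decoders need it at offset 0; Acrobat accepts %PDF
    # anywhere in the first 1024 bytes; ZIP readers locate the archive from the end
    # of the file, so a local header may sit anywhere. Trailers only show where
    # each format's data ends.
    $table = @(
        @{ Format = 'PNG';  Kind = 'Header';  Hex = '89504E470D0A1A0A'; Ext = '.png'; MaxOffset = 0 }
        @{ Format = 'PNG';  Kind = 'Trailer'; Hex = '49454E44';         Ext = '.png'; MaxOffset = $null }   # IEND
        @{ Format = 'PDF';  Kind = 'Header';  Hex = '25504446';         Ext = '.pdf'; MaxOffset = 1024 }    # %PDF
        @{ Format = 'PDF';  Kind = 'Trailer'; Hex = '2525454F46';       Ext = '.pdf'; MaxOffset = $null }   # %%EOF
        @{ Format = 'ZIP';  Kind = 'Header';  Hex = '504B0304';         Ext = '.zip'; MaxOffset = $null }   # PK..
        @{ Format = 'JPEG'; Kind = 'Header';  Hex = 'FFD8FF';           Ext = '.jpg'; MaxOffset = 0 }
    )

    foreach ($entry in $table) {
        # hex string -> byte[] -> Latin-1 string of the same length
        $sigBytes = for ($i = 0; $i -lt $entry.Hex.Length; $i += 2) {
            [Convert]::ToByte($entry.Hex.Substring($i, 2), 16)
        }
        $needle = $latin1.GetString([byte[]]$sigBytes)

        $pos = $text.IndexOf($needle, [System.StringComparison]::Ordinal)
        while ($pos -ge 0) {
            $accepted = ($entry.Kind -eq 'Header') -and
                        (($null -eq $entry.MaxOffset) -or ($pos -le $entry.MaxOffset))
            [pscustomobject]@{
                Format    = $entry.Format
                Kind      = $entry.Kind
                Offset    = $pos
                OffsetHex = '0x{0:X}' -f $pos
                Extension = $entry.Ext
                Accepted  = $accepted
            }
            $pos = $text.IndexOf($needle, $pos + 1, [System.StringComparison]::Ordinal)
        }
    }
}

function Export-PolyglotViews {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string]$Path)

    $full    = (Resolve-Path -LiteralPath $Path).Path
    $formats = Get-EmbeddedSignatures -Path $full |
        Where-Object { $_.Accepted } |
        Sort-Object Format -Unique

    if (@($formats).Count -lt 2) {
        Write-Warning "Only $(@($formats).Count) accepted format(s) in $Path; not a polyglot by this table."
    }

    $dir  = Split-Path -Parent $full
    $base = [System.IO.Path]::GetFileNameWithoutExtension($full)
    foreach ($f in $formats) {
        # Copy-Item instead of Rename-Item: the original stays intact as evidence, and
        # each copy carries the extension the matching viewer expects.
        $dest = Join-Path $dir ('{0}.as-{1}{2}' -f $base, $f.Format.ToLower(), $f.Extension)
        Copy-Item -LiteralPath $full -Destination $dest -Force
        $dest
    }
}

# Usage (file name taken from the walkthrough):
Get-EmbeddedSignatures -Path .\flag2of2-final.pdf | Format-Table -AutoSize
Export-PolyglotViews  -Path .\flag2of2-final.pdf | ForEach-Object { Start-Process $_ }
```

The Offset column tells you which viewer can honour which header: a PNG hit anywhere but 0 is dead data to an image viewer, while a %PDF hit a few hundred bytes in is still opened by most PDF readers. Copying instead of renaming also keeps the suspicious file unchanged, which matters when the same file later has to be hashed or handed to someone else.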

Final Thoughts

This challenge was an excellent exercise in file analysis, binary inspection, and polyglot file manipulation — all essential skills in cybersecurity and Capture The Flag (CTF) competitions.

By following a structured approach, we successfully:

  • Downloaded and examined the suspicious file.
  • Checked the file format and metadata using PowerShell commands.
  • Identified that the file contained both PNG and PDF headers, confirming it was a polyglot file.
  • Opened the file as a PDF, which displayed one part of the flag.
  • Renamed the file to PNG and opened it, revealing the hidden image with the remaining flag part.
  • Combined both flag parts and submitted the correct answer.

This challenge highlights the importance of understanding file structures, leveraging command-line tools, and thinking outside the box when analyzing potentially manipulated or misleading files. Polyglot files are often used in malware, steganography, and exploit development, making them a valuable topic in cybersecurity.

Key Takeaway

In cybersecurity, what you see is not always what you get — files can be disguised, embedded with hidden data, or manipulated to appear as something else. The key is to analyze thoroughly, verify file formats, and extract hidden information using the right tools.

Stay curious, keep exploring, and never take file extensions at face value — because in cybersecurity, deception is everywhere.
